Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Applies to: Kyvos Enterprise Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace

Kyvos Azure Marketplace Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)


You must fulfill the following prerequisites to deploy Kyvos in a GCP environment. 
Permissions required by Google Console users:  

  1. Logged-in users should have the privilege to launch deployment in GCP Deployment Manager.

  2. Logged-in users must have the Viewer predefined role attached

  3. Logged-in user will need access to VPN, Subnet, Network Interface/Security Group, and Service Account, which will be used by Kyvos to launch compute engines, Dataproc, and Instance Group.

  4. You must create a custom role. To do this, click Roles > Create new role
    Provide a name like Kyvos-deployment-role; assign the following permissions, and then attach to the logged-in user service account.

    1. deploymentmanager.deployments.create  

    2. deploymentmanager.deployments.delete  

    3. deploymentmanager.deployments.get  

    4. deploymentmanager.deployments.list  

    5. deploymentmanager.deployments.update  

    6. deploymentmanager.manifests.get  

    7. deploymentmanager.operations.get  

    8. storage.objects.get

    9. compute.subnetworks.use 

Note

The above permissions are only required to launch deployment. To view the resources after deployment, the user must have permission on the relevant resources.

  1. The GCP Deployment manager template is deployed through the logged-in user, and the resources inside the template are created through the default service account of GCP Deployment Manager. 
    To create other Google Cloud resources, Deployment Manager uses the credentials of the Google APIs Service Agent to authenticate to other APIs. The Google APIs Service Agent is designed specifically to run internal Google processes on your behalf. This service account is identifiable using the email: [ PROJECT_NUMBER]@cloudservices.gserviceaccount.com

    1. The above service account must  have the Editor predefined role attached.

    2. Compute Network User: If using a Shared Network, grant the above service account the 'Compute Network User' predefined role to the project where the network originally resides.

  2. Static External IP will be required.

  3. Private Google Access must be enabled for the subnet that you will use for deploying Kyvos and Dataproc clusters.

  4.  Secret Manager API Should be enabled.

  5. If ephemeral IP is selected during Kyvos deployment then the address to static must be promoted . Conversely, if ephemeral IP is not selected, then while restarting the VM, following error messages will appear:

    1. URLs received via email notification will no longer be correct as the IP will change.

    2. URL on Kyvos Manager page to navigate to Kyvos will not be correct as the IP will change.

  6. If the deployment network is in the standard tier, the external static IP should be in the standard tier. Conversely, if the deployment network is in the premium tier, the external static IP should be in the premium tier.

  7. Below are the prerequisites When selected "None" for External IP

    1. Enable Public NAT Gateway, which will let VM connect to Internet Privately without External IP

    2. Use respective VPC which has tunneling configured.

Note

If the prerequisites mentioned above are not completed, there will be discrepancies in Installing Kyvos.

  • No labels